Enterprise Risk Management implementation – are there proven principles?
Many risk management practitioners are struggling with trying to ensure successful Enterprise Risk Management – ERM – implementation. If you are in that situation, a first step would be to review conditions for success of programs of all types – whether corporate, public policy, IT implementation, or new management practices – that have been demonstrated in the literature in this area. Then see how they apply to your risk management plan.

Enterprise Risk Management is now finding its place in creating strategic value.

Traditionally confined to either loss control in the realm of commercial insurance, or financial controls and audit, enterprise risk management has now taken an evolutionary step to encompass the entire spectrum of strategic and operational risk.

Risk has gained, in recent years, a high profile in the public mind, as waves of corporate malfeasance, natural disaster, security threats and economic meltdown have rocked the foundations of organizations in all sectors, and created profound distrust among stakeholders. ERM implementation is now proving its value as conventional risk management duties expand to embrace strategic planning and innovation.

In April 2009 I had some interesting work with the Alberta Urban Municipalities Association (AUMA-AMSC) in Edmonton. This diverse organization has a twin mandate – both advocacy and services – for local governments. The task was to get Enterprise Risk Management up and running.
Ken Baker, Controller, was project lead. He asked that we start with a plenary session, not to cover the theory of ERM, but rather to explain what it would mean in practice. In my presentation I focused on a few key messages before we began work:

a) Risk management is not a substitute for environmental scan and planning. Substantially known trends and conditions are not risks, they are facts. The risk is that the plans to meet them will be, for one reason or another, unsuccessful.

b) Established disciplines within the purview of risk management should not be mixed up in the same exercise. Each has its own nuances and categories of analysis. For example, IM/IT security and Business Continuity/Emergency Planning are two distinct things – even though they need to be coordinated in an overall ERM framework.

c) Scope, organizational boundaries, level (strategic vs. operational), time frame and stakeholder and client group analysis – all these need definition in a context paper for any given risk assessment. If not, assumptions on all those items keep invisibly shifting in the minds of participants – whether you are conducting interviews or a round table session. Failure to properly establish context always leads to mushy (that seems to be the best word for it) risk information.

After having checked context papers, mostly done by email as pre-work before I arrived on site, I led risk ID sessions with each working group. The content was varied and challenging, including benefits services, claims management, an energy (electricity and natural gas commodities) aggregation program, and IT systems. My role, after clarifying working principles, was to facilitate sessions – which means demonstrating the process and transferring capacity. Ken posted documents and templates on a SharePoint site, and coordinated the successive work of departments.

Results

CEO John McGowan reported in the internal staff newsletter Between the Lines, April edition:

“the Directors of the first four participating departments were tasked with identifying the details of their operations in a context paper. This was followed by individual departmental sessions with the teams where a facilitator helped each group identify its own risks… According to one participant this had a ‘cathartic effect’ and left the teams with a new positive impression that ERM would assist them in the quality of decision-making, not create extra work.”

Next Steps

In later talks with Ken, we did some analysis and interpretation of the aggregate results. Those “cathartic” departmental sessions actually came together to paint a clear picture of critical aspects of the AUMA-AMSC operational risk profile. Ken has said that the next logical step is to conduct a strategic risk assessment at the board/exec level.

This shows that you can start at the operational level and implement ERM rapidly and with a minimum of bureaucratic overlay – the essential point is to prove and validate the core risk assessment methodology. I would recommend also conducting future scenarios planning at the strategic level to cover extreme conditions on critical business factors.

[Revised. Originally published 07 May 2010]

UPDATE: Ken Baker has subsequently become ERM Program Manager at City of Edmonton.

In the previous post ERM Implementation – Platitudes? I drew a distinction between the bureaucratic or formalistic side and the practical value side of any program or initiative. I thought I would post an ERM pdf – Implementation Tool focusing on just this aspect of enterprise risk management implementation. It is a diagnostic tool containing criteria that you will be able to apply to your organization.

Avoid confusion: people should recognize enterprise risk management as distinct from enterprise resource management. For example, resource management at NetSuite.com, a cloud computing technology leader, offers an application to help ensure the efficient allocation of resources within the organization. The roll out of cloud computing applications is discussed in the online course Managing IT/Cyber Risk. [Disclosure: ERTechnical receives an affiliate fee for NetSuite link.]

Here is a preview of some of the elements from each of the two sides of ERM methodology, with editorial comments in each category:

FORMAL SIDE

Selection of Risk Management Standard:
[Select an appropriate risk management standard in order to give uniformity to language and definitions. The standards more or less converge on similar concepts and order of steps. However, it will require interpretation in order to make it meaningful in the context of your work. You can’t rely on it as an implementation guide as it stands.]

Documented Corporate Policy:
[This is the outline of the application of the standard to your organization. The danger here is that it is much too long, with too much extraneous theory and especially advice that has been written in advance of practical trials.]

PRACTICAL VALUE SIDE

Investigation and Trials of Risk Identification Methods at the Operational Level:
[These criteria are at the heart of the matter. An effective risk ID and assessment process, both at the strategic and operational level, is essential to successful enterprise risk management. This will ensure value and engaged participation. These points are covered in detail in the risk management online training course: How to Conduct High Quality Risk Assessment.]

Risk ID Methods Developed to Target Specific Work Functions:
[It is unlikely that a rigid and uniform risk methodology will work across all departments. Involving staff to develop and refine the methods, while observing compatibility across the organization, is a good way to make risk ID useful to them.]

The last part of the ERM tool is the assessment: to compare the formal and practical sides. The idea is not to discard the formal aspects altogether, but determine whether they are being used excessively. Perhaps you agree that it is better to lead with the second list; the practical work elements.

Rather than lead with too many formal aspects, you can develop them incrementally to support the proven practical work. This results in higher utility, sustainability and credibility of your ERM framework implementation.

Those wishing to study further the principles of program implementation, as applied to ERM, may be interested in a new Risk & Insurance Management Society online course to be launched later this year. It is called Special Case Studies in Risk Management. It includes a module called Overcoming ERM Resistance, with a 40-minute presentation, case study, and a more elaborate implementation tool with 24 criteria. I will post an announcement.

If you have been charged with implementing Enterprise Risk Management, I’m sure that you are familiar with promotions and pronouncements that run along these lines:

We want to embed ERM in the organization and get everyone to think about risk.

Employees must be risk-optimizing in their business decisions.

All employees are risk owners.

The focus of ERM is our assets and resources, and their exposures to risk.

The key to successful ERM is a robust communications plan.

The ERM program will reduce uncertainty and reduce volatility, improve our credit standing, and demonstrate compliance to the Board. This will translate into shareholder value.

Do these statements sound familiar? On the face of it, they sound like a wonderful plan for a mature risk culture. The trouble is, they don’t tell us how to achieve these benefits.

First, a caution. One of the statements reads:

>>The focus of ERM is our assets and resources, and their exposures to risk.

No. The focus of your ERM program is your organization’s goals and objectives – which flow from the strategic direction and values. The enterprise risk management definition is based on the concept of risk as the “effect of uncertainty on objectives” (ISO) or “the chance of something happening that will have an impact on objectives” (AS/NZS 4360).

In the order of things, mission, vision, and strategic direction are actually paramount. Furthermore, behavioural guidelines for public agencies or private companies – code of ethics, business rules, professional creeds, etc. – are elements of the organization that have economic value. They are definitely at risk, susceptible to analysis, and require risk mitigation. They are merely supported by assets and resources, which are of secondary consideration.

ERM Methodology: Focus on Bureaucracy or Value?

How to actually achieve ERM benefits is probably what concerns you most if you are in charge of implementing ERM. What is your approach?

I believe that all programs and initiatives, in any field, whether in a private sector firm or government, have their bureaucratic or formalistic side, and the practical value side.

The bureaucratic side consists of the promotional pronouncements like the ones above, describing the virtues, promises and supposed benefits of the new program. It is also in the policy. If this side is relied on too much – that is, if there is no genuine substance to the new program – then what you will see is mere lip service and avoidance; or compliance with pro forma templates and check-lists. It ultimately fails.

I recommend putting the practical value side first. Focus on a minimalist approach to enterprise risk management implementation: seek practical value; prove the core ERM methodology – that is, effective risk ID and assessment. This is at the heart of the organizational change you are seeking.

You might say: you can’t lead with the technical side: if you create a brilliant solution, but fail to communicate it, it’s a failed program. But I would much rather err on the side of unadvertised value than on the side of promoted fluff. It’s much better – and less risky – to build incrementally upon a firm foundation. A risk ID and assessment method that solves business problems sells itself.

Enterprise risk management is greatly helped by knowing how to do a risk assessment that obtains high quality results. I really think this is a key answer to difficulties reported in recent risk management surveys, and the best way to develop a culture that uses evidence-based and risk-optimized decision-making.

On my other site I’ve discussed the results of several risk management surveys 2008-2009, in an Introductory Presentation. It’s a veritable crisis, because many organizations don’t have confidence in their risk identification process, and implementation is often a dry compliance exercise. I’ve outlined a recommended approach in these posts:

The January 2010 Aon Global Enterprise Risk Management Survey (free download) reports improvement in overall ERM program maturity among 201 respondents, compared to results of three years ago (p.3). But is it the same target group? – 320 organizations participated in 2007. Selection bias would, I think, invalidate their conclusion. Anyway, the “hallmarks of top performing enterprise risk management programs” (p.3) are interesting even if only as exploratory research.

Well, 40% of this year’s respondents report “lack of tangible benefits” as an ERM implementation barrier; while lack of “skills and capability to embed ERM” (34%) and no “clear implementation plan” (28%) are also at fault (page 13).

In my next post I will give an example of a successful enterprise risk management plan. Comprehensive and rigorous risk ID and assessment are at the heart of it.